Implement an aggregator in the worker

Author: mendess

Cargo.lock

@@ -56,6 +56,7 @@ hpke-rs = "0.2.0"
 hpke-rs-crypto = "0.2.0"
 hpke-rs-rust-crypto = "0.2.0"
 http = "1"
+http-body-util = "0.1.2"
 mappable-rc = "0.1.1"
 matchit = "0.7.3"
 p256 = { version = "0.13.2", features = ["ecdsa-core", "ecdsa", "pem"] }
@@ -76,6 +77,7 @@ serde = { version = "1.0.203", features = ["derive"] }
 serde-wasm-bindgen = "0.6.5"
 serde_json = "1.0.118"
 serde_yaml = "0.9.33"
+static_assertions = "1"
 strum = { version = "0.26.3", features = ["derive"] }
 subtle = "2.6.1"
 thiserror = "1.0.61"
@@ -87,7 +89,7 @@ tracing-core = "0.1.32"
 tracing-subscriber = "0.3.18"
 url = { version = "2.5.4", features = ["serde"] }
 webpki = "0.22.4"
-worker = { version = "0.4", features = ["http"] }
+worker = { version = "0.5", features = ["http"] }
 x509-parser = "0.15.1"
 
 [workspace.dependencies.sentry]

Cargo.toml

@@ -21,6 +21,16 @@ helper:
 		-c ./crates/daphne-server/examples/configuration-helper.toml
 h: helper
 
+helper-worker:
+	cd ./crates/daphne-worker-test/ && \
+		wrangler dev -c wrangler.aggregator.toml --port 8788 -e helper
+hw: helper-worker
+
+leader-worker:
+	cd ./crates/daphne-worker-test/ && \
+		wrangler dev -c wrangler.aggregator.toml --port 8788 -e leader
+lw: leader-worker
+
 storage-proxy:
 	docker compose -f ./crates/daphne-worker-test/docker-compose-storage-proxy.yaml up --build
 s: storage-proxy

Makefile

@@ -1,7 +1,7 @@
 // Copyright (c) 2022 Cloudflare, Inc. All rights reserved.
 // SPDX-License-Identifier: BSD-3-Clause
 
-use daphne_worker::initialize_tracing;
+use daphne_worker::{aggregator::App, initialize_tracing};
 use tracing::info;
 use worker::{event, Env, HttpRequest};
 
@@ -26,5 +26,29 @@ pub async fn main(
 
     info!(method = ?req.method(), "{}", req.uri().path());
 
-    Ok(daphne_worker::storage_proxy::handle_request(req, env, &prometheus::Registry::new()).await)
+    let registry = prometheus::Registry::new();
+    let response = match env
+        .var("DAP_WORKER_MODE")
+        .map(|t| t.to_string())
+        .ok()
+        .as_deref()
+    {
+        Some("storage-proxy") | None => {
+            daphne_worker::storage_proxy::handle_request(req, env, &registry).await
+        }
+        Some("aggregator") => {
+            daphne_worker::aggregator::handle_dap_request(
+                App::new(env, &registry, None).unwrap(),
+                req,
+            )
+            .await
+        }
+        Some(invalid) => {
+            return Err(worker::Error::RustError(format!(
+                "{invalid} is not a valid DAP_WORKER_MODE"
+            )))
+        }
+    };
+
+    Ok(response)
 }

crates/daphne-worker-test/src/lib.rs

@@ -0,0 +1,157 @@
+# Copyright (c) 2024 Cloudflare, Inc. All rights reserved.
+# SPDX-License-Identifier: BSD-3-Clause
+
+main = "build/worker/shim.mjs"
+compatibility_date = "2023-12-21"
+
+# Don't ask to send metrics to Cloudflare. The worker may be run from a container.
+send_metrics = false
+
+# Before starting the worker, run `worker-build`.
+[build]
+command = "worker-build --dev"
+
+[[rules]]
+globs = ["**/*.wasm"]
+type = "CompiledWasm"
+fallthrough = false
+
+# NOTE: Variables marked as SECRET need to be provisioned securely in
+# production. In particular, they will not be passed as environment variables
+# as they are here. See
+# https://developers.cloudflare.com/workers/wrangler/commands/#secret.
+
+[env.helper]
+name = "daphne-helper-aggregator"
+
+[env.helper.vars]
+DAP_DEPLOYMENT = "dev"
+DAP_WORKER_MODE = "aggregator"
+DAP_DURABLE_HELPER_STATE_STORE_GC_AFTER_SECS = "30"
+DAP_DURABLE_AGGREGATE_STORE_GC_AFTER_SECS = "30"
+
+# SECRET
+TASKPROV_SECRETS_ENABLED = "true"
+TASKPROV_SECRETS_VDAF_VERIFY_KEY_INIT = "b029a72fa327931a5cb643dcadcaafa098fcbfac07d990cb9e7c9a8675fafb18"
+TASKPROV_SECRETS_PEER_AUTH_EXPECT_LEADER_TOKEN = "I-am-the-leader"
+
+[env.helper.vars.SERVICE_CONFIG]
+env = "oxy"
+role = "helper"
+max_batch_duration = 360000
+min_batch_interval_start = 259200
+max_batch_interval_end = 259200
+supported_hpke_kems = ["x25519_hkdf_sha256"]
+default_version = "v09"
+report_storage_epoch_duration = 300000
+base_url = "http://127.0.0.1:8788"
+default_num_agg_span_shards = 4
+
+[env.helper.vars.TASKPROV_HPKE_COLLECTOR_CONFIG]
+id = 23
+kem_id = "p256_hkdf_sha256"
+kdf_id = "hkdf_sha256"
+aead_id = "aes128_gcm"
+public_key = "047dab625e0d269abcc28c611bebf5a60987ddf7e23df0e0aa343e5774ad81a1d0160d9252b82b4b5c52354205f5ec945645cb79facff8d85c9c31b490cdf35466"
+
+[dev]
+ip = "0.0.0.0"
+
+[env.helper.durable_objects]
+bindings = [
+    { name = "DAP_AGGREGATE_STORE", class_name = "AggregateStore" },
+    { name = "DAP_TEST_STATE_CLEANER", class_name = "TestStateCleaner" },
+]
+
+
+[[env.helper.kv_namespaces]]
+binding = "DAP_CONFIG"
+# KV bindings are in a looked up in a namespace identified by a 16-byte id number.
+# This number is assigned by calling
+#
+#    wrangler kv:namespace create <NAME>
+#
+# for some unique name you specify, and it returns a unique id number to use.
+# Here we should use something like "leader" for the <NAME>.
+id = "<assign-one-for-the-leader>"
+# A "preview id" is an id used when running in "wrangler dev" mode locally, and
+# can just be made up.  We generated the number below with the following python
+# code:
+#
+#    import secrets
+#    print(secrets.token_hex(16))
+#
+preview_id = "24c4dc92d5cf4680e508fe18eb8f0281"
+
+[env.leader]
+name = "daphne-leader-aggregator"
+
+[env.leader.vars]
+DAP_DEPLOYMENT = "dev"
+DAP_WORKER_MODE = "aggregator"
+DAP_DURABLE_HELPER_STATE_STORE_GC_AFTER_SECS = "30"
+DAP_DURABLE_AGGREGATE_STORE_GC_AFTER_SECS = "30"
+
+# SECRET
+TASKPROV_SECRETS_ENABLED = "true"
+TASKPROV_SECRETS_VDAF_VERIFY_KEY_INIT = "b029a72fa327931a5cb643dcadcaafa098fcbfac07d990cb9e7c9a8675fafb18"
+TASKPROV_SECRETS_PEER_AUTH_EXPECT_COLLECTOR_TOKEN = "I-am-the-collector"
+TASKPROV_SECRETS_SELF_BEARER_TOKEN = "I-am-the-leader"
+
+[env.leader.vars.SERVICE_CONFIG]
+env = "oxy"
+role = "leader"
+max_batch_duration = 360000
+min_batch_interval_start = 259200
+max_batch_interval_end = 259200
+supported_hpke_kems = ["x25519_hkdf_sha256"]
+default_version = "v09"
+report_storage_epoch_duration = 300000
+base_url = "http://127.0.0.1:8787"
+default_num_agg_span_shards = 4
+
+[env.leader.vars.TASKPROV_HPKE_COLLECTOR_CONFIG]
+id = 23
+kem_id = "p256_hkdf_sha256"
+kdf_id = "hkdf_sha256"
+aead_id = "aes128_gcm"
+public_key = "047dab625e0d269abcc28c611bebf5a60987ddf7e23df0e0aa343e5774ad81a1d0160d9252b82b4b5c52354205f5ec945645cb79facff8d85c9c31b490cdf35466"
+
+[env.leader.durable_objects]
+bindings = [
+    { name = "DAP_AGGREGATE_STORE", class_name = "AggregateStore" },
+    { name = "DAP_TEST_STATE_CLEANER", class_name = "TestStateCleaner" },
+]
+
+[[env.leader.kv_namespaces]]
+binding = "DAP_CONFIG"
+# KV bindings are in a looked up in a namespace identified by a 16-byte id number.
+# This number is assigned by calling
+#
+#    wrangler kv:namespace create <NAME>
+#
+# for some unique name you specify, and it returns a unique id number to use.
+# Here we should use something like "leader" for the <NAME>.
+id = "<assign-one-for-the-leader>"
+# A "preview id" is an id used when running in "wrangler dev" mode locally, and
+# can just be made up.  We generated the number below with the following python
+# code:
+#
+#    import secrets
+#    print(secrets.token_hex(16))
+#
+preview_id = "24c4dc92d5cf4680e508fe18eb8f0281"
+
+[[migrations]]
+tag = "v1"
+new_classes = [
+    "AggregateStore",
+    "GarbageCollector",
+    "HelperStateStore",
+]
+
+[[migrations]]
+tag = "v2"
+renamed_classes = [
+    { from = "GarbageCollector", to = "TestStateCleaner" },
+]

crates/daphne-worker-test/wrangler.aggregator.toml

@@ -16,32 +16,44 @@ description = "Workers backend for Daphne"
 crate-type = ["cdylib", "rlib"]
 
 [dependencies]
-axum.workspace = true
+async-trait = { workspace = true }
 axum-extra = { workspace = true, features = ["typed-header"] }
 bytes.workspace = true
 chrono = { workspace = true, default-features = false, features = ["clock", "wasmbind"] }
 constcat.workspace = true
 daphne = { path = "../daphne", features = ["prometheus"] }
-futures = { workspace = true, optional = true }
+either = { workspace = true }
+futures = { workspace = true }
 # We don't use getrandom directly but this allows us to enable the 'js' feature
 # of getrandom in the crates we depend on, that depend on getrandom
 getrandom = { workspace = true, features = ["js"] }
 headers.workspace = true
 hex.workspace = true
+http-body-util.workspace = true
 http.workspace = true
-prio_draft09.workspace = true
+mappable-rc.workspace = true
+p256 = { workspace = true }
 prio.workspace = true
+prio_draft09.workspace = true
 prometheus.workspace = true
 rand.workspace = true
+reqwest.workspace = true
 serde-wasm-bindgen.workspace = true
 serde.workspace = true
 serde_json.workspace = true
+static_assertions.workspace = true
+thiserror.workspace = true
+tower-service.workspace = true
+tower.workspace = true
 tracing-core.workspace = true
 tracing-subscriber = { workspace = true, features = ["env-filter", "json"]}
 tracing.workspace = true
 url.workspace = true
 worker.workspace = true
-tower-service.workspace = true
+
+[dependencies.axum]
+workspace = true
+features = ["query", "json", "http1", "http2"]
 
 [dependencies.daphne-service-utils]
 path = "../daphne-service-utils"
@@ -50,10 +62,13 @@ features = ["durable_requests"]
 [dev-dependencies]
 daphne = { path = "../daphne", features = ["test-utils"] }
 paste.workspace = true
+rcgen.workspace = true
 reqwest.workspace = true # used in doc tests
+tokio.workspace = true
+webpki.workspace = true
 
 [features]
-test-utils = ["daphne-service-utils/test-utils", "dep:futures"]
+test-utils = ["daphne-service-utils/test-utils"]
 
 [lints]
 workspace = true

crates/daphne-worker/Cargo.toml

@@ -2,5 +2,6 @@
 # SPDX-License-Identifier: BSD-3-Clause
 
 disallowed-methods = [
-    { path = "std::time::Instant::now", reason = "not implemented in wasm" },
+    { path = "std::time::Instant::now", reason = "not implemented in wasm. Use worker::Date::now()" },
+    { path = "std::time::SystemTime::now", reason = "not implemented in wasm. Use worker::Date::now()" },
 ]